dopes
2009-02-16, 21:28
I recently visited a site and it opened up a PDF file automatically. My NOD32 stopped the virus, but my computer still got infected. These two files keep reappearing in my spybot, so I came here to get some help. ComboFix helped delete the annoying popups that kept appearing. VundoFix did not find any infected files.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:11 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\5902xp_6033v_012208\wdm\STacSV.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\Apps\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-21-1229272821-1614895754-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: albwel.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\5902xp_6033v_012208\wdm\STacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 5276 bytes
[/code][code]ComboFix 09-02-15.01 - Admin 2009-02-16 2:16:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\Application Data\inst.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\albwel.dll
c:\windows\system32\Cache
c:\windows\system32\command.pif
c:\windows\system32\opxkblcb.dll
c:\windows\system32\ouolotmj.dll
c:\windows\system32\qoMeCusS.dll
c:\windows\system32\SsuCeMoq.ini
c:\windows\system32\SsuCeMoq.ini2
c:\windows\system32\tmp13.tmp
c:\windows\system32\tmp14.tmp
c:\windows\system32\tmp76.tmp
c:\windows\system32\tmp77.tmp
.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.
2009-02-16 02:21 . 2009-02-16 02:21 47,334 --a------ c:\windows\system32\fccaXNHb.dll
2009-02-16 01:32 . 2009-02-16 01:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-15 23:07 . 2009-02-15 23:07 36,352 --a------ c:\windows\system32\hgGabBSl.dll
2009-02-14 12:03 . 2009-02-14 12:03 <DIR> d-------- c:\windows\nview
2009-02-14 12:03 . 2009-02-06 09:46 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-02-14 12:03 . 2009-02-16 02:21 211,251 --a------ c:\windows\system32\nvapps.xml
2009-02-14 12:03 . 2009-02-06 09:46 18,795 --a------ c:\windows\system32\nvdisp.nvu
2009-02-10 15:43 . 2009-02-10 15:59 <DIR> d-------- c:\program files\GCFScape
2009-02-05 12:50 . 2009-02-05 12:50 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-01-27 18:06 . 2009-01-27 18:06 <DIR> d-------- c:\program files\Illustrate
2009-01-27 18:06 . 2009-01-27 18:06 131,072 --a------ c:\windows\system32\SpoonUninstall.exe
2009-01-27 18:06 . 2009-01-27 18:06 36,104 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-01-27 18:06 . 2009-01-27 18:06 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-01-25 01:52 . 2009-01-25 22:34 1,374 --a------ c:\windows\imsins.BAK
2009-01-25 01:51 . 2009-01-25 01:51 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-24 12:23 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-24 12:23 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-21 17:02 . 2009-01-21 17:02 <DIR> d-------- c:\documents and settings\Admin\Application Data\Microsoft Games
2009-01-21 15:35 . 2009-01-21 15:35 <DIR> d-------- c:\program files\Microsoft Games
2009-01-20 18:58 . 2009-01-20 18:59 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-20 18:58 . 2009-01-20 18:58 <DIR> d-------- c:\documents and settings\Admin\Application Data\SystemRequirementsLab
2009-01-20 17:06 . 2009-01-20 17:06 361,600 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-01-18 21:12 . 2009-01-18 21:12 <DIR> d--hs---- C:\Diskeeper
2009-01-18 17:45 . 2009-01-18 17:51 <DIR> d-------- c:\program files\Dyyno
2009-01-18 16:39 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
2009-01-18 16:39 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
2009-01-18 16:38 . 2009-01-18 16:38 <DIR> d-------- c:\program files\ESET
2009-01-18 16:38 . 2009-01-18 16:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-01-17 12:14 . 2009-01-17 12:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-01-17 09:10 . 2009-01-17 09:10 151 --a------ c:\windows\PhotoSnapViewer.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 10:14 --------- d-----w c:\documents and settings\Admin\Application Data\Xfire
2009-02-16 10:13 --------- d-----w c:\program files\PeerGuardian2
2009-02-16 10:13 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2009-02-16 10:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 07:12 --------- d-----w c:\program files\Steam
2009-02-15 18:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 18:26 --------- d-----w c:\program files\SpywareBlaster
2009-02-12 05:49 --------- d-----w c:\program files\Xfire
2009-02-11 10:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 05:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 00:03 --------- d-----w c:\program files\Silkroad
2009-02-07 18:27 --------- d-----w c:\program files\StepMania
2009-02-06 17:46 6,307,392 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-01-22 00:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 01:25 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2009-01-19 17:39 --------- d-----w c:\program files\AIM
2009-01-16 03:54 --------- d-----w c:\program files\CoreCodec
2009-01-09 03:36 --------- d-----w c:\program files\CCleaner
2008-12-29 23:21 --------- d-----w c:\program files\AMD
2008-12-29 19:52 --------- d-----w c:\documents and settings\Admin\Application Data\TortoiseSVN
2008-12-29 19:46 --------- d-----w c:\documents and settings\Admin\Application Data\Subversion
2008-12-29 19:43 --------- d-----w c:\program files\TortoiseSVN
2008-12-29 19:43 --------- d-----w c:\program files\Common Files\TortoiseOverlays
2008-12-22 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-21 21:07 --------- d-----w c:\documents and settings\Admin\Application Data\Nitroplus
2008-12-21 21:03 --------- d-----w c:\program files\Nitroplus
2008-12-20 21:00 720,896 -c--a-w c:\windows\iun6002.exe
2008-12-20 21:00 --------- d-----w c:\program files\TuneXP
2008-12-14 23:17 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2008-10-29 01:41 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
2008-02-02 08:51 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 23:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2009-01-20 17:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2009-01-20 17:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43d83b89-b723-4273-aaa7-b924092c89ef}]
2009-02-16 02:22 129024 --a------ c:\windows\system32\frluum.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-15 23:07 36352 --a------ c:\windows\system32\hgGabBSl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B921051B-F4D3-4419-A6E1-8464E54DD6C2}]
2009-02-16 02:21 302592 --a------ c:\windows\system32\mlJCRkKE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-06 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-06 86016]
"nwiz"="nwiz.exe" [2009-02-06 c:\windows\system32\nwiz.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\hgGabBSl.dll" [2009-02-15 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGabBSl]
2009-02-15 23:07 36352 c:\windows\system32\hgGabBSl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=albwel.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\mlJCRkKE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
--a------ 2008-09-16 09:15 2715648 c:\program files\RivaTuner v2.11\RivaTuner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LmHosts"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S4 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\documents and settings\Admin\Local Settings\Temp\WZSE0.TMP\installservice.exe --> c:\documents and settings\Admin\Local Settings\Temp\WZSE0.TMP\installservice.exe [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
- - - - ORPHANS REMOVED - - - -
BHO-{6F28C1FB-A4F9-4928-9DC5-CB7FA6F169BB} - c:\windows\system32\qoMeCusS.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\rvs3sbo6.default\
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\rvs3sbo6.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 02:21:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\EKkRCJlm.ini
c:\windows\system32\mlJCRkKE.dll 302592 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1229272821-1614895754-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:92,56,3d,7e,b7,fc,56,ef,35,4d,3c,b0,c7,c0,75,1a,1f,b6,9a,20,8f,
2d,3d,b8,8a,ba,d3,b2,7e,01,99,cc,e1,3f,bd,d3,4d,c1,fc,da,a1,5f,05,41,f6,a5,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0E1ED8F5-B610-42B3-CB1C-6DC38D7482B7}\InProcServer32*]
"jannkmjbhbedmpedefcp"=hex:6b,61,6b,6d,65,6a,6d,6a,6e,66,6f,6c,6c,64,6a,66,6c,
61,69,61,70,64,00,00
"iannenhlcnephdmcpa"=hex:6b,61,6b,6d,65,6a,6d,6a,6e,66,6f,6c,6c,64,6a,66,6c,61,
69,61,70,64,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\hgGabBSl.dll
- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\sappevsa.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\mlJCRkKE.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\5902XP_6033V_012208\WDM\stacsv.exe
c:\windows\system32\dllhost.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-02-16 2:25:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-16 10:25:32
Pre-Run: 39,110,438,912 bytes free
Post-Run: 39,025,442,816 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer /TUTag=W19SBX /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /fastdetect /NoExecute=OptIn /usepmtimer /TUTag=W19SBX-BAK
286 --- E O F --- 2009-02-11 10:19:56
Also, I have uninstalled all my Adobe programs.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:11 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\5902xp_6033v_012208\wdm\STacSV.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\Apps\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-21-1229272821-1614895754-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: albwel.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\5902xp_6033v_012208\wdm\STacSV.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 5276 bytes
[/code][code]ComboFix 09-02-15.01 - Admin 2009-02-16 2:16:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\Application Data\inst.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\albwel.dll
c:\windows\system32\Cache
c:\windows\system32\command.pif
c:\windows\system32\opxkblcb.dll
c:\windows\system32\ouolotmj.dll
c:\windows\system32\qoMeCusS.dll
c:\windows\system32\SsuCeMoq.ini
c:\windows\system32\SsuCeMoq.ini2
c:\windows\system32\tmp13.tmp
c:\windows\system32\tmp14.tmp
c:\windows\system32\tmp76.tmp
c:\windows\system32\tmp77.tmp
.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.
2009-02-16 02:21 . 2009-02-16 02:21 47,334 --a------ c:\windows\system32\fccaXNHb.dll
2009-02-16 01:32 . 2009-02-16 01:32 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-15 23:07 . 2009-02-15 23:07 36,352 --a------ c:\windows\system32\hgGabBSl.dll
2009-02-14 12:03 . 2009-02-14 12:03 <DIR> d-------- c:\windows\nview
2009-02-14 12:03 . 2009-02-06 09:46 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-02-14 12:03 . 2009-02-16 02:21 211,251 --a------ c:\windows\system32\nvapps.xml
2009-02-14 12:03 . 2009-02-06 09:46 18,795 --a------ c:\windows\system32\nvdisp.nvu
2009-02-10 15:43 . 2009-02-10 15:59 <DIR> d-------- c:\program files\GCFScape
2009-02-05 12:50 . 2009-02-05 12:50 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-01-27 18:06 . 2009-01-27 18:06 <DIR> d-------- c:\program files\Illustrate
2009-01-27 18:06 . 2009-01-27 18:06 131,072 --a------ c:\windows\system32\SpoonUninstall.exe
2009-01-27 18:06 . 2009-01-27 18:06 36,104 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-01-27 18:06 . 2009-01-27 18:06 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-01-25 01:52 . 2009-01-25 22:34 1,374 --a------ c:\windows\imsins.BAK
2009-01-25 01:51 . 2009-01-25 01:51 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-24 12:23 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-24 12:23 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-21 17:02 . 2009-01-21 17:02 <DIR> d-------- c:\documents and settings\Admin\Application Data\Microsoft Games
2009-01-21 15:35 . 2009-01-21 15:35 <DIR> d-------- c:\program files\Microsoft Games
2009-01-20 18:58 . 2009-01-20 18:59 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-20 18:58 . 2009-01-20 18:58 <DIR> d-------- c:\documents and settings\Admin\Application Data\SystemRequirementsLab
2009-01-20 17:06 . 2009-01-20 17:06 361,600 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-01-18 21:12 . 2009-01-18 21:12 <DIR> d--hs---- C:\Diskeeper
2009-01-18 17:45 . 2009-01-18 17:51 <DIR> d-------- c:\program files\Dyyno
2009-01-18 16:39 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
2009-01-18 16:39 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
2009-01-18 16:38 . 2009-01-18 16:38 <DIR> d-------- c:\program files\ESET
2009-01-18 16:38 . 2009-01-18 16:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-01-17 12:14 . 2009-01-17 12:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-01-17 09:10 . 2009-01-17 09:10 151 --a------ c:\windows\PhotoSnapViewer.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 10:14 --------- d-----w c:\documents and settings\Admin\Application Data\Xfire
2009-02-16 10:13 --------- d-----w c:\program files\PeerGuardian2
2009-02-16 10:13 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2009-02-16 10:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 07:12 --------- d-----w c:\program files\Steam
2009-02-15 18:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 18:26 --------- d-----w c:\program files\SpywareBlaster
2009-02-12 05:49 --------- d-----w c:\program files\Xfire
2009-02-11 10:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 05:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 00:03 --------- d-----w c:\program files\Silkroad
2009-02-07 18:27 --------- d-----w c:\program files\StepMania
2009-02-06 17:46 6,307,392 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-01-22 00:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 01:25 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2009-01-19 17:39 --------- d-----w c:\program files\AIM
2009-01-16 03:54 --------- d-----w c:\program files\CoreCodec
2009-01-09 03:36 --------- d-----w c:\program files\CCleaner
2008-12-29 23:21 --------- d-----w c:\program files\AMD
2008-12-29 19:52 --------- d-----w c:\documents and settings\Admin\Application Data\TortoiseSVN
2008-12-29 19:46 --------- d-----w c:\documents and settings\Admin\Application Data\Subversion
2008-12-29 19:43 --------- d-----w c:\program files\TortoiseSVN
2008-12-29 19:43 --------- d-----w c:\program files\Common Files\TortoiseOverlays
2008-12-22 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-21 21:07 --------- d-----w c:\documents and settings\Admin\Application Data\Nitroplus
2008-12-21 21:03 --------- d-----w c:\program files\Nitroplus
2008-12-20 21:00 720,896 -c--a-w c:\windows\iun6002.exe
2008-12-20 21:00 --------- d-----w c:\program files\TuneXP
2008-12-14 23:17 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2008-10-29 01:41 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
2008-02-02 08:51 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 23:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2009-01-20 17:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2009-01-20 17:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43d83b89-b723-4273-aaa7-b924092c89ef}]
2009-02-16 02:22 129024 --a------ c:\windows\system32\frluum.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-15 23:07 36352 --a------ c:\windows\system32\hgGabBSl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B921051B-F4D3-4419-A6E1-8464E54DD6C2}]
2009-02-16 02:21 302592 --a------ c:\windows\system32\mlJCRkKE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-06 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-06 86016]
"nwiz"="nwiz.exe" [2009-02-06 c:\windows\system32\nwiz.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\hgGabBSl.dll" [2009-02-15 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGabBSl]
2009-02-15 23:07 36352 c:\windows\system32\hgGabBSl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=albwel.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\mlJCRkKE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
--a------ 2008-09-16 09:15 2715648 c:\program files\RivaTuner v2.11\RivaTuner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LmHosts"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S4 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\documents and settings\Admin\Local Settings\Temp\WZSE0.TMP\installservice.exe --> c:\documents and settings\Admin\Local Settings\Temp\WZSE0.TMP\installservice.exe [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
- - - - ORPHANS REMOVED - - - -
BHO-{6F28C1FB-A4F9-4928-9DC5-CB7FA6F169BB} - c:\windows\system32\qoMeCusS.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\rvs3sbo6.default\
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\rvs3sbo6.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 02:21:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\EKkRCJlm.ini
c:\windows\system32\mlJCRkKE.dll 302592 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1229272821-1614895754-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:92,56,3d,7e,b7,fc,56,ef,35,4d,3c,b0,c7,c0,75,1a,1f,b6,9a,20,8f,
2d,3d,b8,8a,ba,d3,b2,7e,01,99,cc,e1,3f,bd,d3,4d,c1,fc,da,a1,5f,05,41,f6,a5,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0E1ED8F5-B610-42B3-CB1C-6DC38D7482B7}\InProcServer32*]
"jannkmjbhbedmpedefcp"=hex:6b,61,6b,6d,65,6a,6d,6a,6e,66,6f,6c,6c,64,6a,66,6c,
61,69,61,70,64,00,00
"iannenhlcnephdmcpa"=hex:6b,61,6b,6d,65,6a,6d,6a,6e,66,6f,6c,6c,64,6a,66,6c,61,
69,61,70,64,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\hgGabBSl.dll
- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\sappevsa.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\mlJCRkKE.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\5902XP_6033V_012208\WDM\stacsv.exe
c:\windows\system32\dllhost.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-02-16 2:25:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-16 10:25:32
Pre-Run: 39,110,438,912 bytes free
Post-Run: 39,025,442,816 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer /TUTag=W19SBX /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /fastdetect /NoExecute=OptIn /usepmtimer /TUTag=W19SBX-BAK
286 --- E O F --- 2009-02-11 10:19:56
Also, I have uninstalled all my Adobe programs.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )